Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Single User Mode #946

Open
1 of 2 tasks
mlucool opened this issue Mar 15, 2021 · 6 comments
Open
1 of 2 tasks

Single User Mode #946

mlucool opened this issue Mar 15, 2021 · 6 comments
Labels
enhancement future Postpone for future consideration. May be closed and re-opened later. runtime security

Comments

@mlucool
Copy link

mlucool commented Mar 15, 2021
edited by akchinSTC
Loading

Hi,

I'd like to run an enterprise gateway as the only user. There are a few reasons why one would want this including including no need for user impersonation and no noisy neighbors. The gateway is still very useful and lets me launch in other containers outside of the one my JupyterLab is running. This then becomes a direct replacement for remote_ikernel.

To make this work, two features would be very helpful:

2 can be done with below, but I'm not sure how we'd want to allow users to opt into this.

--- a/enterprise_gateway/services/processproxies/processproxy.py
+++ b/enterprise_gateway/services/processproxies/processproxy.py
@@ -340,12 +341,13 @@ class BaseProcessProxyABC(with_metaclass(abc.ABCMeta, object)):
         try:
             ssh = paramiko.SSHClient()
             ssh.load_system_host_keys()
-            ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
+            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
             host_ip = gethostbyname(host)
             if remote_pwd:
                 ssh.connect(host_ip, port=ssh_port, username=remote_user, password=remote_pwd)
             else:
-                ssh.connect(host_ip, port=ssh_port, username=remote_user)
+                ssh.connect(host_ip, port=ssh_port, gss_auth=True)
         except Exception as e:
             http_status_code = 500
             current_host = gethostbyname(gethostname())
@kevin-bates
Copy link
Member

This seems like a reasonable request. Unfortunately, I believe this would have to come in the form of a contribution since I know I don't have the bandwidth (or expertise) to tackle this.

From an opt-in perspective, I think this would be minimally accomplished using an env-switch - after which we could look into tieing to a configurable trait (if necessary).

Is this something you'd be interested in doing?

Support for unix sockets to connect to the gateway

Would this be similar to what was done in Notebook?

@mlucool
Copy link
Author

mlucool commented Mar 15, 2021

Is this something you'd be interested in doing?

We'd be happy to contribute this!

Would this be similar to what was done in Notebook?

Yes

@kevin-bates
Copy link
Member

Excellent! Thank you Marc (et al)!

I'm curious, does the --gateway-url=http://gateway-host:port syntax in the notebook/jupyter_server CLI/config change at all?

@Carreau
Copy link
Contributor

Carreau commented Mar 29, 2021

Support for unix sockets to connect to the gateway

Would this be similar to what was done in Notebook?

I've looked a bit into what is needed to make this work:

With tornado :

  • From what I can tell, this seem to not be too hard for normal http requests on the server (gateway) side,
  • Problem : It seem like tornado is fairly unhappy with unix-socket for anything websocket related. At least on the websocket client-side it seem to be a big no-no, as anything websocket related will no accept resolver and have many checks about protocols.

Adding a dependency:

  • websocket depende claim to support client with unix-socket , but has not seen a release since Nov 2019, author and library seem active on github though.
  • websocket-clienthave the same claim, and similar activity but had a more recent release. It does not claim to be stable though.

I believe instead of trying to do websocket over unix socket, another possibility is to write a version of ZMQChannelsHandler for the gateway but that read from unix-socket, and a version of GatewayWebSocketClient (for jupyter_server) that write to unix-sockets skipping most of the websocket-ish specificities, like protocol upgrade, compression etc...

We could also try to make a fake-websocket-like mock class that only support the features we need (like none of the compression; encryption and version upgrade); that might work but I'm unsure how that will interact with tornado.

I also know that ipykernel can use ipc between client and kernel; so there might be some possibilities there by actually using ZMQ/ipc between server and gateway;

I might be missing something especially on the tornado front; in which case I welcome pointers.

@kevin-bates
Copy link
Member

Thank you for your insights @Carreau. I'm going to have to defer to the others on this. @mlucool - do you have any thoughts on Matthias's comment?

Carreau added a commit to Carreau/enterprise_gateway that referenced this issue Apr 14, 2021
@Carreau
Allow SSH authentication via GSS.
154eced 
This attempt to implement GSS as requested in jupyter-server#946.

I've tried to also document the other environment variable, though I
couldn't find where or how they are supposed to be used.

I'm also currently trying to find a deployment that could use GSS to
test this, but haven't so far.

I'm assuming that if GSS is enabled then it takes priority over
username/password.
@Carreau Carreau mentioned this issue Apr 14, 2021
Merged
@Carreau
Copy link
Contributor

Carreau commented Apr 14, 2021

See #950 for the ssh/gss part, though I'm looking at a system where I can test that – or deploy one locally between VMS if not.

I've talked with @mlucool via private channels, and I think we will hold off for now on using a unix socket as it would be a major endeavour.

Carreau added a commit to Carreau/enterprise_gateway that referenced this issue May 31, 2021
@Carreau
Allow SSH authentication via GSS.
4dde8ca 
This attempt to implement GSS as requested in jupyter-server#946.

I've tried to also document the other environment variable, though I
couldn't find where or how they are supposed to be used.

I'm also currently trying to find a deployment that could use GSS to
test this, but haven't so far.

I'm assuming that if GSS is enabled then it takes priority over
username/password.
akchinSTC pushed a commit that referenced this issue Jun 1, 2021
@Carreau
Allow SSH authentication via GSS. (#950)
a29e9c6 
Allow SSH authentication via GSS

Adds support SSH connections using GSS (e.g. Kerberos) enabling deployment
without the use of an ssh key

Partial fix for #946
@kevin-bates kevin-bates added the future Postpone for future consideration. May be closed and re-opened later. label May 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement future Postpone for future consideration. May be closed and re-opened later. runtime security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Carreau @mlucool @kevin-bates